sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-01-24 02:04:21 +03:00
Code

kdc: Include values from msDS-User-Account-Control-Computed when checking user flags

Browse Source 
Change-Id: I27280d7dd139c6c65dddac611dbdcd7e518ee536
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
This commit is contained in:
Andrew Bartlett 2013-10-30 10:50:19 +13:00 committed by Stefan Metzmacher
parent 10cbd5e430
commit 997e120f66
1 changed files with 20 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

20
source4/kdc/db-glue.c
View File

@ -546,6 +546,7 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context,
{
struct loadparm_context *lp_ctx = kdc_db_ctx->lp_ctx;
uint32_t userAccountControl;
uint32_t msDS_User_Account_Control_Computed;
unsigned int i;
krb5_error_code ret = 0;
krb5_boolean is_computer = FALSE;
@ -604,6 +605,25 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context,
userAccountControl = ldb_msg_find_attr_as_uint(msg, "userAccountControl", 0);
msDS_User_Account_Control_Computed
= ldb_msg_find_attr_as_uint(msg,
"msDS-User-Account-Control-Computed",
UF_ACCOUNTDISABLE);
/*
* This brings in the lockout flag, block the account if not
* found. We need the weird UF_ACCOUNTDISABLE check because
* we do not want to fail open if the value is not returned,
* but 0 is a valid value (all OK)
*/
if (msDS_User_Account_Control_Computed == UF_ACCOUNTDISABLE) {
ret = EINVAL;
krb5_set_error_message(context, ret, "samba_kdc_message2entry: "
"no msDS-User-Account-Control-Computed present");
goto out;
} else {
userAccountControl |= msDS_User_Account_Control_Computed;
}
entry_ex->entry.principal = malloc(sizeof(*(entry_ex->entry.principal)));
if (ent_type == SAMBA_KDC_ENT_TYPE_ANY && principal == NULL) {